Date posted: 15-Aug-2015
Uploaded by: steve-markey
Securing IoT Medical Devices

Steven C. Markey, MSIS, PMP, CISSP, CIPP/US, CISM, CISA, STS-EV, CCSK, CCSP, Cloud+

Principal, nControl, LLC
Adjunct Professor

Source: NECCR
Source: Fitbit

Source: HealthInfoSec

Securing IoT Medical Devices

• Presentation Overview
  – IoT? Huh….
  – Vulnerabilities & Exploits
  – Security / Privacy by Design
  – Where Do We Go From Here?

Securing IoT Medical Devices

• IoT? Huh....
  – IoT = Internet of Things
    • Ubiquitous Connectivity (e.g., 802.11, 802.15, 3G / 4G, WMTS)
      – BTLE = Bluetooth Low Energy
    • Data Portability / Interoperable Data Syncing
      – EDI = Electronic Data Interchange
    • Redundant Technologies & Methods
      – Java, Linux, Open-Source APIs, etc.
      – Cocoa Touch Layer, etc.
  – Medical / Healthcare Esoteric Language & Nuances
    • WMTS = Wireless Medical Telemetry Services
    • Regulatory Requirements: HIPAA / HITECH, FDA
    • Healthcare Digitization: PPACA (i.e., Obamacare)
      – ICD-9 / 10 for US = EDI

Securing IoT Medical Devices

• Vulnerabilities & Exploits
  – Data in Motion (DIM) Challenges
    • (Distributed) Denial of Service = DDoS / DoS
      – Disable Device Remotely – Dick Cheney’s Heart via WiFi
    • Man in the Middle (MITM) – Sniff / Alter Packets
      – Economic DoS (EDoS)
  – Data in Use (DIU) Challenges
    • DLP = Data Loss Protection / Prevention
      – Is sandboxing that effective?
  – Data at Rest (DAR) Challenges
    • Jailbreaking
    • Crack Weak Cryptography
      – Ubertooth & Crackle – Encryption Key for BTLE
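The deck lists DoS against a connected device as a data-in-motion threat but does not show what the defender's side looks like. The following Go program is an added example, not code from the deck or from nControl: it parses a few constructed gateway log lines (the line format, the device names and the two rules are assumptions made here) and raises SIEM alerts when a device holds more than one live connection at once, which is the "single connection only" policy the deck later recommends for wearables, or when it receives a burst of connection attempts inside a short window.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

// Event is one parsed gateway log line. The line format is an assumption made
// for this example: RFC3339 time, device id, action, peer address.
type Event struct {
	At     time.Time
	Device string
	Action string // "connect" or "disconnect"
	Peer   string
}

// Alert is one detection finding to forward to the SIEM.
type Alert struct {
	Device string
	Rule   string
}

// sampleLog is a constructed log: a normal session on pump-01, a second
// simultaneous peer on pump-02, then a flood of connections against pump-01.
const sampleLog = `2015-08-15T10:00:00Z pump-01 connect aa:11
2015-08-15T10:00:05Z pump-01 disconnect aa:11
2015-08-15T10:01:00Z pump-02 connect bb:22
2015-08-15T10:01:03Z pump-02 connect cc:33
2015-08-15T10:02:00Z pump-01 connect dd:44
2015-08-15T10:02:01Z pump-01 connect ee:55
2015-08-15T10:02:02Z pump-01 connect ff:66
2015-08-15T10:02:03Z pump-01 connect 11:77
2015-08-15T10:02:04Z pump-01 connect 22:88
2015-08-15T10:02:05Z pump-01 connect 33:99`

// parseLog turns raw lines into time-ordered events and rejects malformed lines
// rather than silently skipping them (a dropped line is itself a blind spot).
func parseLog(raw string) ([]Event, error) {
	var evs []Event
	for _, line := range strings.Split(strings.TrimSpace(raw), "\n") {
		f := strings.Fields(line)
		if len(f) != 4 {
			return nil, fmt.Errorf("malformed line: %q", line)
		}
		at, err := time.Parse(time.RFC3339, f[0])
		if err != nil {
			return nil, err
		}
		evs = append(evs, Event{At: at, Device: f[1], Action: f[2], Peer: f[3]})
	}
	sort.SliceStable(evs, func(i, j int) bool { return evs[i].At.Before(evs[j].At) })
	return evs, nil
}

// Detect applies two rules: a device may never hold more than maxConcurrent
// live connections, and more than burstMax connection attempts inside window
// is treated as a DoS attempt. Each rule fires at most once per device.
func Detect(events []Event, maxConcurrent, burstMax int, window time.Duration) []Alert {
	live := map[string]map[string]bool{} // device -> set of connected peers
	attempts := map[string][]time.Time{} // device -> connect times inside window
	fired := map[string]bool{}
	var alerts []Alert
	fire := func(dev, rule string) {
		if key := dev + "|" + rule; !fired[key] {
			fired[key] = true
			alerts = append(alerts, Alert{Device: dev, Rule: rule})
		}
	}
	for _, e := range events {
		if live[e.Device] == nil {
			live[e.Device] = map[string]bool{}
		}
		switch e.Action {
		case "connect":
			live[e.Device][e.Peer] = true
			if len(live[e.Device]) > maxConcurrent {
				fire(e.Device, "multiple-concurrent-connections")
			}
			// Slide the window: keep only attempts younger than window, then add this one.
			recent := attempts[e.Device][:0]
			for _, t := range attempts[e.Device] {
				if e.At.Sub(t) < window {
					recent = append(recent, t)
				}
			}
			attempts[e.Device] = append(recent, e.At)
			if len(attempts[e.Device]) > burstMax {
				fire(e.Device, "connection-burst")
			}
		case "disconnect":
			delete(live[e.Device], e.Peer)
		}
	}
	return alerts
}

func main() {
	evs, err := parseLog(sampleLog)
	if err != nil {
		panic(err)
	}
	for _, a := range Detect(evs, 1, 5, 60*time.Second) {
		fmt.Printf("ALERT device=%s rule=%s\n", a.Device, a.Rule)
	}
}
```

On the constructed log this yields three alerts: pump-02 for a second simultaneous peer, and pump-01 for both a second peer and a six-attempt burst inside one minute. The thresholds are deliberately parameters, since a pump that legitimately re-pairs a few times a day needs a different burst ceiling than a bedside monitor that should see one connection a week.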

Securing IoT Medical Devices

Source: Flickr

• Security / Privacy By Design
  – Security / Privacy Requirements
  – Threat Modeling
  – Misuse Cases
  – Compensating Controls

Securing IoT Medical Devices

• Security / Privacy By Design
  – Security / Privacy Requirements
    • Access Controls
      – Mobile Medical Applications (MMAs)
        » Sandboxed w/ Strong Password Protections
      – Wearable Medical Devices (WMDs)
        » Self-Contained w/ DLP Protections
        » Single Connections Only
        » BTLE for MAC Address Hopping
      – Embedded Medical Devices (EMDs)
        » Secure, Configurable, Intuitive GUIs – Like a Wireless Router
        » Self-Contained w/ DLP Protections
        » Single Connections Only
        » BTLE for MAC Address Hopping

Securing IoT Medical Devices

• Security / Privacy By Design
  – Security / Privacy Requirements
    • Cryptography
      – Masked Sync Data Logs
      – Strong Encryption / Hashing for DAR / DIM / DIU
        » Obfuscate Encryption Key – Fitbit & Separate BTLE Protocol
      – Transparent Data Encryption (TDE)
        » Follow the Apple Model
      – Homomorphic Encryption (HE)
      – Certificate-Less Authenticating Encryption (CLAE)
        » Device MAC Address Changes
        » Portability

Securing IoT Medical Devices

• Security / Privacy By Design
  – Threat Modeling
    • Multiple Attack Surfaces
    • Performance / DDoS / Quality of Service (QoS)
    • Nonrepudiation – Data, Patches
    • False Positives – Alerts, Data Transfer
    • Data Retention
    • Device Tampering
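"Nonrepudiation – Patches" on this slide is the requirement that a device only installs firmware its vendor actually released, and can prove so afterwards. The Go program below is an added example, not code from the deck or any vendor: the vendor signs a version-bound digest of the patch with Ed25519, and the device verifies it against a public key assumed to be burned in at manufacture and refuses anything whose version is not newer than what is installed, so a previously valid but older patch cannot be replayed. The patch layout, the domain-separation tag and the sample payload are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Patch is a firmware update as the device receives it (layout is assumed here).
type Patch struct {
	Version   uint32
	Payload   []byte
	Signature []byte // Ed25519 signature over digest(Version, Payload)
}

// digest binds version and payload together so a signature on one release cannot
// be moved onto another payload or relabelled with a different version number.
func digest(version uint32, payload []byte) []byte {
	h := sha256.New()
	var v [4]byte
	binary.BigEndian.PutUint32(v[:], version)
	h.Write([]byte("mmd-patch-v1")) // domain-separation tag, constructed for this example
	h.Write(v[:])
	h.Write(payload)
	return h.Sum(nil)
}

// SignPatch is the vendor build-pipeline step; the private key never leaves it.
func SignPatch(priv ed25519.PrivateKey, version uint32, payload []byte) Patch {
	return Patch{
		Version:   version,
		Payload:   payload,
		Signature: ed25519.Sign(priv, digest(version, payload)),
	}
}

var (
	ErrBadSignature = errors.New("patch signature invalid")
	ErrRollback     = errors.New("patch version not newer than installed version")
)

// VerifyPatch is the device-side check. The signature is checked first so an
// unsigned patch learns nothing about the device's version counter, then the
// monotonic version rule blocks replay of older, legitimately signed images.
func VerifyPatch(pub ed25519.PublicKey, installed uint32, p Patch) error {
	if !ed25519.Verify(pub, digest(p.Version, p.Payload), p.Signature) {
		return ErrBadSignature
	}
	if p.Version <= installed {
		return ErrRollback
	}
	return nil
}

// Demo generates a vendor key pair and runs the three cases a device must
// distinguish: a genuine newer patch, a tampered payload, and a replayed patch.
func Demo() (okErr, tamperedErr, rollbackErr error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	good := SignPatch(priv, 42, []byte("firmware image v42 (constructed sample)"))
	okErr = VerifyPatch(pub, 41, good) // device at 41 accepts 42

	tampered := good
	tampered.Payload = append([]byte(nil), good.Payload...)
	tampered.Payload[0] ^= 0x01 // one-bit change in transit
	tamperedErr = VerifyPatch(pub, 41, tampered)

	rollbackErr = VerifyPatch(pub, 42, good) // device already at 42
	return okErr, tamperedErr, rollbackErr
}

func main() {
	a, b, c := Demo()
	fmt.Println("genuine patch:  ", a)
	fmt.Println("tampered patch: ", b)
	fmt.Println("replayed patch: ", c)
}
```

Keeping the signature check ahead of the version check matters on constrained devices: the version counter is the only state the device has to protect, and a rollback error for an unsigned blob would leak it to whoever sent the blob.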

Securing IoT Medical Devices

Source: Fitbit

• Security / Privacy By Design
  – Misuse Cases
    • EDoS
      – Insurance
      – Clinical Visits
    • Physiological / Psychological Stress
    • Device Misconfiguration
      – Data Loss
      – Transaction Integrity
    • Geo-Tracking
    • Erroneous Data
      – Dead Code / Data Points

Securing IoT Medical Devices

• Security / Privacy By Design
  – Compensating Controls
    • SOC for Private Cloud
    • SIEM Operational Awareness
      – Tokenize Physical Address
    • DLP
    • IAM
    • MDM / MAM
    • Physical Access Controls
      – Fitbit’s JTAG Fuse
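Two of the deck's requirements share one mechanism: "Masked Sync Data Logs" and "Strong Encryption for DAR" on the cryptography slide, and "Tokenize Physical Address" under SIEM operational awareness here. The Go program below is an added example, not code from the deck, Fitbit or any vendor. It seals a sync record at rest with AES-256-GCM so that any modification of the stored blob fails authentication, and it writes the SIEM log line with keyed HMAC tokens in place of the patient identifier and home address, so the SOC can still correlate events per patient without the log ever holding the real values. The record layout, the log format and the token key are assumptions made for the example; on a real device the keys would come from a hardware keystore rather than being generated in main.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"io"
)

// SyncRecord is one wearable-to-phone sync entry (layout constructed for this example).
type SyncRecord struct {
	PatientID string
	HomeAddr  string // physical address: never belongs in a log verbatim
	HeartRate int
}

// SealRecord encrypts a serialised record with AES-256-GCM for storage at rest.
// The random nonce is prefixed to the ciphertext so OpenRecord can find it.
func SealRecord(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// OpenRecord reverses SealRecord; any bit flip in the blob fails the GCM tag.
func OpenRecord(key, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, fmt.Errorf("stored blob too short")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

// Tokenize replaces an identifier with a keyed HMAC-SHA256 token truncated to
// 64 bits. The same key yields the same token, so the SIEM can group events per
// patient or per address; without the key the token cannot be reversed, and a
// plain hash would be guessable from a short list of known addresses.
func Tokenize(tokenKey []byte, field, value string) string {
	mac := hmac.New(sha256.New, tokenKey)
	mac.Write([]byte(field + ":" + value)) // field label keeps patient and address token spaces apart
	return hex.EncodeToString(mac.Sum(nil))[:16]
}

// MaskedLogLine is what the sync service emits to the SIEM (format constructed here).
func MaskedLogLine(tokenKey []byte, r SyncRecord) string {
	return fmt.Sprintf("sync patient=%s addr=%s hr=%d",
		Tokenize(tokenKey, "patient", r.PatientID),
		Tokenize(tokenKey, "addr", r.HomeAddr),
		r.HeartRate)
}

func main() {
	key := make([]byte, 32) // assumption: on a real device this comes from the keystore
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	r := SyncRecord{PatientID: "MRN-0001", HomeAddr: "12 Example St", HeartRate: 72}
	blob, err := SealRecord(key, []byte(fmt.Sprintf("%s|%s|%d", r.PatientID, r.HomeAddr, r.HeartRate)))
	if err != nil {
		panic(err)
	}
	pt, err := OpenRecord(key, blob)
	fmt.Printf("stored %d bytes at rest, recovered %q (err=%v)\n", len(blob), pt, err)
	fmt.Println(MaskedLogLine([]byte("constructed-token-key"), r))
}
```

The token key and the storage key are separate on purpose: the SOC needs the token key to join log lines from several devices, and it should never be in a position to decrypt the records themselves.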

Securing IoT Medical Devices

• Where Do We Go From Here?
  – National / Industry / Workgroup Standards
    • FDA
    • HIMSS
    • HITRUST
    • NIST
  – Thought Leadership
    • OWASP
    • ISC2
    • ISSA
  – Device Certification / Attestation
    • FDA
    • HITRUST

Securing IoT Medical Devices

Source: HealthInfoSec

• Questions?
• Contact
  – Email: [email protected]
  – Twitter: @markes1
  – LI: http://www.linkedin.com/in/smarkey